Extreme Networks VSAs

Table 1 (VSA Definitions for Web-Based, MAC-Based, and 802.1X Network Login) contains the Vendor Specific Attribute (VSA) definitions that a RADIUS server can send to an Extreme switch after successful authentication.

These attributes must be configured on the RADIUS server along with the Extreme Networks Vendor ID, which is 1916.

Table 1. VSA Definitions for Web-Based, MAC-Based, and 802.1X Network Login
| VSA | Attribute Type | Format | Sent-in | Description |
|---|---|---|---|---|
| Extreme-CLI-Authorization | 201 | Integer | Access-Accept | Specifies whether command authorization is to be enabled or disabled for the user on the ExtremeXOS switch. |
| Extreme-Netlogin-VLAN-Name | 203 | String | Access-Accept | Name of destination VLAN after successful authentication (must already exist on switch). |
| Extreme-Netlogin-URL | 204 | String | Access-Accept | Destination web page after successful authentication. |
| Extreme-Netlogin-URL-Desc | 205 | String | Access-Accept | Text description of network login URL attribute. |
| Extreme-Netlogin-Only | 206 | Integer | Access-Accept | Indication of whether the user can authenticate using other means, such as telnet, console, SSH, or Vista. A value of “1” (enabled) indicates that the user can only authenticate via network login. A value of “0” (disabled) indicates that the user can also authenticate via other methods. |
| Extreme-User-Location | 208 | String | | |
| Extreme-Netlogin-VLAN-ID | 209 | Integer | Access-Accept | ID of destination VLAN after successful authentication (except for dynamic VLANs, must already exist on switch). |
| Extreme-Netlogin-Extended-VLAN | 211 | String | Access-Accept | Name or ID of the destination VLAN after successful authentication (must already exist on switch). Note: When using this attribute, specify whether the port should be moved tagged or untagged to the VLAN. See the guidelines listed in the section VSA 211: Extreme-Netlogin-Extended-Vlan for more information. |
| Extreme-Security-Profile | 212 | String | Access-Accept | Specifies a universal port profile to execute on the switch. For more information, see Universal Port. |
| EXTREME_VM_NAME | 213 | String | Access-Accept | Specifies the name of the VM that is being authenticated. Example: MyVM1 |
| EXTREME_VM_VPP_NAME | 214 | String | Access-Accept | Specifies the VPP to which the VM is to be mapped. Example: nvpp1 |
| EXTREME_VM_IP_ADDR | 215 | String | Access-Accept | Specifies the IP address of the VM. Example: 11.1.1.254 |
| EXTREME_VM_CTag | 216 | Integer | Access-Accept | Specifies the ID or tag of the destination VLAN for the VM. Example: 101 |
| EXTREME_VM_VR_Name | 217 | String | Access-Accept | Specifies the VR in which the destination VLAN is to be placed. Example: UserVR1 |
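
As an added example (not code from Extreme Networks or from this page), the following Python decodes the Extreme VSAs carried in the attribute bytes of an Access-Accept, which helps when checking a packet capture against the table above. It assumes the standard RFC 2865 Vendor-Specific layout (attribute type 26, a 4-octet vendor ID, then vendor type/length/value records) and 4-octet integers; the function names and the sample bytes are constructed for illustration.

```python
import struct

EXTREME_VENDOR_ID = 1916   # vendor ID stated on this page
VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute type

# Vendor type -> (name, format), copied from a subset of Table 1.
EXTREME_VSAS = {
    201: ("Extreme-CLI-Authorization", "integer"),
    203: ("Extreme-Netlogin-VLAN-Name", "string"),
    204: ("Extreme-Netlogin-URL", "string"),
    206: ("Extreme-Netlogin-Only", "integer"),
    209: ("Extreme-Netlogin-VLAN-ID", "integer"),
    211: ("Extreme-Netlogin-Extended-VLAN", "string"),
    212: ("Extreme-Security-Profile", "string"),
}

def _tlvs(buf):
    """Yield (type, value) for each type/length/value record; length covers the header."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def decode_extreme_vsas(attrs):
    """Return [(name, value)] for each Extreme VSA in a RADIUS attribute list."""
    out = []
    for atype, body in _tlvs(attrs):
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != EXTREME_VENDOR_ID:
            continue  # another vendor's VSA
        for vtype, raw in _tlvs(body[4:]):
            name, fmt = EXTREME_VSAS.get(vtype, ("Extreme-Unknown-%d" % vtype, "string"))
            if fmt == "integer":
                if len(raw) != 4:
                    raise ValueError(name + ": integer value must be 4 octets")
                out.append((name, struct.unpack("!I", raw)[0]))
            else:
                out.append((name, raw.decode("ascii", "replace")))
    return out

# Constructed sample: VSA 203 = "purple" and VSA 206 = 1 (network login only).
SAMPLE = (bytes([26, 14]) + struct.pack("!I", 1916) + bytes([203, 8]) + b"purple"
          + bytes([26, 12]) + struct.pack("!I", 1916) + bytes([206, 6]) + struct.pack("!I", 1))

if __name__ == "__main__":
    print(decode_extreme_vsas(SAMPLE))
```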

The examples in the following sections are formatted for use in the FreeRADIUS users file. If you use another RADIUS server, the format might be different.

Note: For information on how to use and configure your RADIUS server, refer to the documentation that came with your RADIUS server.

For untagged VLAN movement with 802.1X netlogin, you can use all current Extreme Networks VLAN VSAs: VSA 203, VSA 209, and VSA 211.

VSA 201: Extreme-CLI-Authorization

This attribute specifies whether command authorization is to be enabled or disabled for the user on the ExtremeXOS switch.

If command authorization is disabled, the user has full access to all CLI commands. If command authorization is enabled, each command the user enters is accepted or rejected based on the contents of the profiles file on the RADIUS server.

When added to the RADIUS users file, the following example enables command authorization for the associated user:

Extreme: Extreme-CLI-Authorization = enabled

When added to the RADIUS users file, the following example disables command authorization for the associated user:

Extreme: Extreme-CLI-Authorization = disabled

VSA 203: Extreme-Netlogin-VLAN-Name

This attribute specifies a destination VLAN name that the RADIUS server sends to the switch after successful authentication.

The VLAN must already exist on the switch. When the switch receives the VSA, it adds the authenticated user to the VLAN.

The following describes the guidelines for VSA 203:
  • For untagged VLAN movement with 802.1X netlogin, you can use all current Extreme Networks VLAN VSAs: VSA 203, VSA 209, and VSA 211.
  • To specify the VLAN name, use an ASCII string.
  • When using this VSA, do not specify whether the VLAN is tagged or untagged.

Because the RADIUS server can identify a target VLAN with multiple attributes, the switch selects the appropriate VLAN or VLANs in the following order:
  • Extreme-Netlogin-Extended-VLAN (VSA 211)
  • Extreme-Netlogin-VLAN-Name (VSA 203)
  • Extreme-Netlogin-VLAN-ID (VSA 209)
  • Tunnel-Private-Group-ID, but only if Tunnel-Type == VLAN (13) and Tunnel-Medium-Type == 802 (6) (see Standard RADIUS Attributes Used by Extreme Switches)

If none of the previously described attributes are present, ISP mode is assumed, and the client remains in the configured VLAN.

When added to the RADIUS users file, the following example specifies the destination VLAN name, purple, for the associated user:

Extreme: Extreme-Netlogin-VLAN-Name = purple
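
The selection order described above, modelled as an added example (not Extreme Networks code): given the attributes of one Access-Accept, it reports which VLAN attribute would be used and which lower-priority ones are present but shadowed, a useful check when a user entry carries more than one VLAN attribute. The function name, the dictionary representation of a reply, and the sample replies are assumptions made for illustration.

```python
# Order stated on this page, highest priority first.
VLAN_ORDER = [
    "Extreme-Netlogin-Extended-VLAN",   # VSA 211
    "Extreme-Netlogin-VLAN-Name",       # VSA 203
    "Extreme-Netlogin-VLAN-ID",         # VSA 209
    "Tunnel-Private-Group-ID",          # standard attribute, conditional
]

def select_vlan(reply):
    """Return (attribute, value, shadowed) for one Access-Accept.

    reply maps attribute names to values. shadowed lists lower-priority VLAN
    attributes that are present but not used. attribute is None when nothing
    qualifies, which the page calls ISP mode (client stays in the configured VLAN).
    """
    candidates = []
    for name in VLAN_ORDER:
        if name not in reply:
            continue
        if name == "Tunnel-Private-Group-ID":
            # Counts only with Tunnel-Type VLAN (13) and Tunnel-Medium-Type 802 (6).
            if reply.get("Tunnel-Type") != 13 or reply.get("Tunnel-Medium-Type") != 6:
                continue
        candidates.append((name, reply[name]))
    if not candidates:
        return None, None, []
    (name, value), shadowed = candidates[0], candidates[1:]
    return name, value, shadowed

# Constructed sample replies.
CONFLICTING = {"Extreme-Netlogin-VLAN-Name": "purple", "Extreme-Netlogin-VLAN-ID": 101}
TUNNEL_OK = {"Tunnel-Private-Group-ID": "corp", "Tunnel-Type": 13, "Tunnel-Medium-Type": 6}
TUNNEL_INCOMPLETE = {"Tunnel-Private-Group-ID": "corp", "Tunnel-Type": 13}

if __name__ == "__main__":
    for reply in (CONFLICTING, TUNNEL_OK, TUNNEL_INCOMPLETE):
        print(select_vlan(reply))
```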

VSA 204: Extreme-Netlogin-URL

The Extreme-NetLogin-Url attribute specifies a web page URL that the RADIUS server sends to the switch after successful authentication. When the switch receives the attribute in response to a web-based network login, the switch redirects the web client to display the specified web page. If a login method other than web-based is used, the switch ignores this attribute.

The following describes the guidelines for VSA 204:
  • To specify the URL to display after authentication, use an ASCII string.
  • If you do not specify a URL, the network login infrastructure uses the default redirect page URL, , or the URL that you configured using the configure netlogin redirect-page command.
  • VSA 204 applies only to the web-based authentication mode of Network Login.

The following example specifies the redirection URL to use after successful authentication.

To configure the redirect URL as http://www.myhomepage.com, add the following line:

Extreme: Extreme-Netlogin-URL = http://www.myhomepage.com

VSA 205: Extreme-Netlogin-URL-Desc

The Extreme-NetLogin-Url-Desc attribute provides a redirection description that the RADIUS s